第一次在数据库中哈希密码 [英] Hashing passwords in DB for first time

问题描述

HI，
我们如何在已经存在的数据库中对密码进行哈希处理?数据库中的密码为明文，这是一个安全问题.我不想使用内置的SQL Server哈希函数，但创建自己的应用程序以对密码进行哈希处理.我正在考虑创建数据类型为varbinary(16)的另一列-MD5 hash-，并在其中存储哈希值，然后删除明文密码列.
另外，我读到盐腌非常重要.你们有什么感想?任何想法都是最欢迎的.

How can we hash the passwords in an already existing database? The passwords in the database are in clear text, which is a security issue. I don''t want to use the in-built SQL Server hash functions, but create my own application for hashing the passwords. I was thinking of creating another column of datatype varbinary(16) -MD5 hash- and storing the hashed values there and deleting the cleartext password column.
ALso, I read that salting is very important. What do you guys think? Any ideas are most welcome.

推荐答案

以纯文本格式存储密码确实不是一个好主意.永远不要那样做.

您可以将密码转换为代码级别的哈希，并以字符串形式存储在数据库中.您正在使用C#或其他工具吗?

Storing passwords in plain text is really bad idea. Don''t ever do that.

You can convert the password into hash in code level and store in the database as a character string. Are you working with C# or something else?

1.编写一个快速的控制台应用程序以对SQL外部的密码进行哈希处理.
2.是的，盐.

1. Write a quick console app to hash the passwords outside of SQL.
2. Yes, salt.

您将不得不在数据库中添加另一列pwd_salt
并随机生成pwd_salt

将pwd + pwd_salt连接到字符串
将字符串转换为字节
并使用.net类的System.Security.Cryptography.SHA1Managed中的computehash函数来计算哈希.

You will have to add another column pwd_salt in the database
and generate the pwd_salt randomly

concate pwd + pwd_salt to a string
convert string to bytes
and use computehash function from System.Security.Cryptography.SHA1Managed of .net class to compute hash.

这篇关于第一次在数据库中哈希密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！